Privacy by Design:
The Future of Privacy
www.oasis-open.org
WHAT IS PRIVACY?
Privacy is not about secrecy or preventing organizations from collecting information.
Privacy is about control – personal control over the collection, use and disclosure of one’s personally identifiable information.
Best expressed by the German concept of “informational self-determination,” a term first used in the context of a constitutional ruling related to personal information collected during Germany’s 1983 census.
THE 7 FOUNDATIONAL PRINCIPLES
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – Positive-Sum, not Zero-Sum
5. End-to-End Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User-Centric
The ecosystem
Information Technology
Accountable Business Practices
Physical Design & Infrastructure
www.privacybydesign.ca
FIPPs mapped to the 7 Foundational Principles
Security → End-to-End Security – Full Lifecycle Protection
Purpose Specification, Data Minimization → Privacy as the Default Setting
Consent, Accuracy, Access → Respect for User Privacy
Accountability, Openness, Compliance → Visibility and Transparency (Openness & Transparency)
Proactive Not Reactive; Preventative Not Remedial
Privacy Embedded into Design
Full Functionality – Positive-Sum, not Zero-Sum
PRIVACY BY DESIGN (PbD)
A proactive approach to privacy that supplements privacy principles in a manner that promotes innovation, privacy, data protection and trust in the 21st century. This is consistent with a recent OECD Council recommendation where it noted that, “These [OECD] Guidelines [on the protection of privacy and transborder flows of personal data] should be regarded as minimum standards which can be supplemented by additional measures for the protection of privacy and individual liberties, which may impact transborder flows of personal data.”
IPC Philosophy: 3 C’s
Consultation: by keeping open lines of communication
Co-operation: rather than confrontation in resolving complaints
Collaboration: through working together to find solutions
International Data Protection & Privacy Commissioners adopt PbD as a global standard (Jerusalem, 2010), resolving to:
recognize PbD as an essential component of privacy protection;
encourage organizations to adopt it as their default mode of operation;
foster its integration into law and policy in their respective jurisdictions.
The 7 Foundational Principles of PbD have been translated into over 35 official languages.
WHY IS PBD IMPORTANT?
Global Adoption: Europe
European Commission and Parliament encourage use of PbD:
EC may legislate application of “privacy by design and data protection by default” solutions for specific sectors and data processing situations [2012 EC draft Data Protection Regulation, arts. 23, 30]
EP Albrecht Report [2013]: data processors, controllers and producers should ensure application of PbD principles
EU Counter-terrorism Coordinator G. de Kerchove supported PbD in his speech at an EDPS event (Jan 2014)
Global Adoption: US
FTC Final Report on Protecting Consumer Privacy [2012]:
recommends PbD as a “baseline principle”
calls on companies to build in consumer privacy protections at every stage in the development of products and services [p. 13]
DoD/US CFTC Privacy Symposium: Counterterrorism: Privacy by Design, by David Medine (2013)
Global Adoption: Other
Victoria, Australia: Privacy Commissioner endorses & will implement PbD (July 1, 2014)
Ontario Public Sector: Privacy by Design Centre of Excellence (April 2013)
Canada Cloud Computing report (2010): the Canadian Federal Commissioner will work with Industry Canada to consider “how best to integrate privacy by design principles and PIAs into private sector practices”
Privacy Drives Innovation
The argument that privacy stifles innovation reflects a dated, zero-sum mindset.
The notion that privacy must be sacrificed for innovation is a false dichotomy, consisting of unnecessary trade-offs.
The opposite is true – privacy drives innovation – it forces innovators to think creatively to find solutions that serve multiple functionalities.
We need to abandon zero-sum thinking and adopt a positive-sum paradigm where both innovation and privacy may be achieved – we need a new playbook.
“… Looking to the future, continued investment is needed not only in privacy topics ancillary to security, but also in automating privacy protection. … Relevant topics include cryptography, privacy-preserving data mining, formalization of privacy policies, tools for automating conformance of software to personal privacy policy and to legal policy, …”
– Report to the President: Big Data and Privacy: A Technological Perspective, President’s Council of Advisors on Science and Technology, May 2014.
The momentum behind Privacy by Design (PbD) has been growing for the past several years. It was not intended to be a theoretical, abstract framework. The question is often, “We believe in PbD … but how do we do it?” or “How does PbD translate into technical and business requirements, specifications, standards, best practices, performance criteria?”
How to Contact Us
Michelle Chibba, Director, Policy and Special Projects
Information and Privacy Commissioner’s Office of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8
Phone: (416) 326-3333 / 1-800-387-0073
Web: www.ipc.on.ca
E-mail: [email protected]